2015. 06. 1

(Daming Wu)

Email: wdm1517@gmail.com

SeoulTech UCS Lab

Copyright ⓒ 2015 by USC Lab All Rights Reserved.

Effects of virtualization on information security

Table of Contents

1. Introduction

2. Literature review

3. Research methods

4. Data analysis

5. Discussion

6. Conclusion

2

3

1. Introduction

1. Introduction

4

The features of cloud computing technology may include super-large scale,

dynamic scalability and on-demand deployment.

How does/can virtualization benefit business?

• Centralized data storage makes data easier to back up, prevents redundancy,

and improves control. Better compliance to IT regulations and management.

• Virtualization helps to reduce the number of servers, and by doing so, it tends

to reduce the usage of power and cooling.

1. Introduction

5

The following 4 viewpoints, does the implementation of virtualization in an

enterprise significantly affect the resulting information security?

1. From the viewpoint of Physical and Environmental Security

2. From the viewpoint of communications and operations management

3. From the viewpoint of Access Control

4. From the viewpoint of Information System Acquisition, Development and

Maintenance

6

2. Literature Review

2.1 ISMS

7

ISO/IEC 27001(Information Security Management Systems Requirements)

specifies the requirements for establishing, implementing, operating, monitoring,

reviewing, maintaining and improving a documented Information Security

Management System within the context of the organization's overall business

risks.

The ISO/IEC 27001 standard provides the important definition and requirements

of an Information Security Management System (ISMS).

It is appropriate to be used and adapted by this study to assess the effects of

virtualization on information security.

2.1 ISMS

8

ISO 27001 Control Domain Objectives Controls

1 Information Security Policy 1 2

2 Organization of Information Security 2 11

3 Asset Management 2 5

4 Human Resources Security 3 9

5 Physical and environmental Security 2 13

6 Communication and Operation Management 10 32

7 Access Control 7 25

8 Information systems acquisition, development and maintenance 6 16

9 Information security incident management 2 5

10 Business Continuity Plan 1 5

11 Compliance 3 10

39 133

ISO/IEC 27001 provide the standard for Information Security Management

Systems Consists of 11 control sections, 39 control objectives, and 133 controls.

2.1 ISMS

9

PDCA Model

2.1 ISMS

10

Information

security issue Topic

Business

network security

• Network security tools, software and products: To enhance internet and

intranet security, security tools, products and/or software may be used.

• User's trust and perceived security in online environment.

• Virtual Private Network (VPN): Online resources can be remotely accessed

via the VPN.

Threats to

information

security

• Malware includes viruses, Trojan horses, spyware, computer worms, rootkits

and adware.

• Hacking tools and tricks: Hackers are always developing new tools, ways

and technologies of attack.

• Application-level attacks: Many hackers now have turned from O.S.-level

attacks to buffer-overflow and cross-site scripting attacks.

Security of

applications and

platforms

• O.S. security: A reasonably secure O.S. for PCs and servers is vital to

security.

• Risk management: The management and examination of weaknesses is

required.

• Cloud security; virtualization security concerns and assessment

regarding virtualization.

Information security issue review(1/2)

2.1 ISMS

11

Information

security issue Topic

Security auditing,

implementation

and standards

• ISO 27001: It includes auditing standards, guidelines and implementation.

• COBIT: It focuses on the IT processes

Enterprise

personnel

identification and

access control

• Personnel identification management: It is suggested to establish an

identification and password management policy.

• User authentication service: Methods such as single sign-on or smart card

authentication may be implemented.

• Web site user authentication: It is suggested that the systems only allow

authorized user to access contents and use single sign-on to prevent threats

from hacking.

Business data

protection

• Hard disk- and file-level encryption: Using encryption tools and/or software

to encrypt disks and/or files may keep data from unauthorized access in the

case of a leak.

• Information leakage prevention: Building an information leakage monitoring

system may uncover and/or prevent hostile eavesdropping.

• Database security control: The encryption of data and auditing of database

access may reduce the likelihood of security breach.

Information security issue review(1/2)

2.2. Virtualization technologies

12

Overview of virtualization environments

Ring 3

Ring 0

None-Root

Mode

Root Mode

2.2. Virtualization technologies

13

Server virtualizati

on issues Topic

Server

virtualization

management

tools

• Virtual machine tuning: Setting up highly-efficient but also responsive virtua

l machines can be very difficult for system administrators.

Backup and

disaster recovery

plans for virtualiz

ed systems

• Backup and disaster recovery: Server virtualization requires planning of bac

kup plans and disaster recovery.

Infrastructure and

framework of

server

virtualization

• Servers and virtualization: If virtualization is used to consolidate server usag

e, some infrastructure problems must be addressed.

• Network virtualization issues: Even if top-grade virtualization software and s

erver hardware are used, networking bottlenecks and/or other technical glitc

hes may bring down the system.

Virtualization literature review(1/2)

2.2. Virtualization technologies

14

Server virtualizati

on issues Topic

Server virtualizat

ion plans and usa

ge

• Cloud computing: The cloud computing architecture demands much more se

rver capacity and raw computing power.

Benefits of server

virtualization

• Server consolidation: Virtualization can reduce server costs.

Security monitori

ng

and policy of

server

virtualization

• Concerns regarding virtualization security. Cloud security through virtualizat

ion.

• Risk monitoring of virtualized servers: Virtualized systems do have their ow

n security risks. The O.S., virtualization tools and the network all have their

own share of risks. Security design for virtualized systems.

• Server virtualization guidelines: In an IT management plan, virtualized serve

rs must follow the policy and rules.

Virtualization literature review(2/2)

15

3. Research methods

3.1 Research Design

16

• Research design

The research framework is developed under ISO/IEC 27001 controls.

• Research subjects and sampling

This study requires that subjects have a certain level of understanding of the

virtualization information environment.

3.3 Designing the measurement tools for this research(1/2)

17

3.3 Designing the measurement tools for this research(2/2)

18

19

4. Data Analysis

4. Data Analysis

20

21

5. Discussion

5. Discussion

22

The four proposed research questions and hence research contributions are

addressed below.

• viewpoint of Physical and Environmental Security no significant differences in

information security.

• viewpoint of communications and operations management，virtualization

provides an isolated information environment for software development and

testing. Another reason may be that the fast backup and recovery enabled in

the virtualized environment allows practitioners to perform modifications and

improvements to information systems in a timely manner.

• viewpoint of Access Control，virtual machines on the hypervisor are well-

isolated and this feature does enable good access control.

• viewpoint of Information System Acquisition, Development and Maintenance

results show that no significant influences.

23

6. Conclusion

6. Conclusion

24

This research studies the influence of virtualized information environment on

information security.

The results of the analysis have shown that the implementation of virtualization in

enterprises may prove to be particularly beneficial to information security.

Q&A

25

Thanks!

26